How Banking Trojans Empty Your Online Accounts

In the arms race between malware writers and your bank for
control of your online account, the game is akin to Whack-A-Mole,
and the criminals have a big advantage — at least for now.

"These guys are well ahead of the security community," said Karim
Hijazi, CEO of Unveillance, a Wilmington, Del., company that
provides computer security for corporations and specializes in
eliminating malware. "They can make mistakes, but we can't. One
error on our part is a mess."

Cybercriminals, in other words, can practice all they want, and
it doesn't matter if they fail. A bank whose defenses fail only
once, on the other hand, can lose millions of dollars and end up
with just as many compromised accounts.

It might sound like the situation is hopeless, but it isn't
completely. That's because it's not the bank itself that's the
problem. Often,
it's the customer.

There are several kinds of attacks, but the most popular use
variations on botnet-creating, information-stealing Trojans. A
botnet Trojan is a small program that first infects a
computer and then, acting in concert with others of its kind,
sends information from infected computers to remote servers.

Botnet Trojans, whether or not they're programmed to steal
banking credentials, often get into computers when a user opens a
malicious email attachment or visits a compromised website.

When thousands of copies of a botnet Trojan have been installed
on computers all over the Internet, you get a network of machines
under the remote control of a cybercriminal — a botnet. The
owners of the infected machines usually aren't even aware that
anything wrong is happening.

In some cases, botnets are used to mount
distributed denial-of-service (DDoS) attacks, send out spam
emails or even crack encrypted data. Banking Trojan botnets,
which so far are known to infect only Windows PCs, are used
specifically to snag login credentials for PayPal or online
bank accounts.

Banks are constantly refining online account security by coming
up with new methods for authenticating users. These methods
include having users type passwords on an onscreen keyboard
(which a keylogger cannot record), sending one-time codes to
users' phones by text message, asking identity-verification
secret questions and issuing electronic keyfobs that generate
one-time authentication codes. Two or more verification methods
are often combined for even greater security.

Attacking the user

Facing such obstacles, online criminals have turned instead to
hijacking bank clients' computers, which is a lot easier than
attacking the bank itself.

"It is incredibly hard to control what computer users come in
from," said Josh Daymont, principal of Atlanta-based Securisea.

It's also easier for criminals to attack a client's computer than
to try to listen to unencrypted wireless traffic.

Classic "man-in-the-middle" attacks do occur in which a criminal
will secretly position himself between a customer and his online
account, but listening to data traffic in a coffee shop or
airport might snag only a few passwords.

A good banking Trojan, such as
Zeus or its rival
SpyEye, is much more sophisticated. Thousands of times per
day, banking Trojans embed themselves into unsuspecting users'
Web browsers, silently wait until the user logs into a banking
website and then send the login credentials to remote servers
operated by cybercriminals.

In a matter of days, such "man-in-the-browser" attacks, if
well-distributed, can snag a million sets of account details,
which can then be resold on the black market. Banking Trojans
are inexpensive to buy and run, making such operations much more
profitable than staking out airport departure lounges.

Aitel points out that all users will sooner or later make a
mistake and click on the wrong link or open the wrong attachment.

"Ultimately, there's no really good way to stop people from
stealing credentials," he said.

Fighting back: Traffic cops

To fight this kind of attack, many security pros are turning to
analyzing network traffic in and out of corporate servers. For
instance, rather than try to eliminate malware directly, some
companies look for the traffic patterns that give away a banking
Trojan like Zeus.
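One traffic pattern that gives away a bot regardless of which Trojan it is running is beaconing: the infected machine checks in with its command-and-control server at near-constant intervals with small, similarly sized requests, while a human's browsing is irregular. The following is an added example, not code from the article or from any of the firms it quotes: a Python script that parses a constructed sample of outbound proxy log lines and flags host pairs whose connection timing is too regular. The log format, the destination addresses (RFC 5737 documentation ranges), the `/gate.php` path, the five-hit minimum and the 10% coefficient-of-variation threshold are all assumptions chosen for the illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): timestamp, internal host,
# destination, method, path, request bytes. One host beacons to
# 198.51.100.7 about once a minute while also browsing 203.0.113.40.
SAMPLE_LOG = """\
2011-07-12T09:00:00 10.1.2.15 198.51.100.7 POST /gate.php 312
2011-07-12T09:00:14 10.1.2.15 203.0.113.40 GET /news/index.html 0
2011-07-12T09:01:00 10.1.2.15 198.51.100.7 POST /gate.php 309
2011-07-12T09:01:37 10.1.2.15 203.0.113.40 GET /news/sports.html 0
2011-07-12T09:02:00 10.1.2.15 198.51.100.7 POST /gate.php 315
2011-07-12T09:02:49 10.1.2.15 203.0.113.40 GET /mail/inbox 120
2011-07-12T09:03:00 10.1.2.15 198.51.100.7 POST /gate.php 310
2011-07-12T09:03:58 10.1.2.15 203.0.113.40 GET /mail/read?id=8 95
2011-07-12T09:04:00 10.1.2.15 198.51.100.7 POST /gate.php 313
2011-07-12T09:04:22 10.1.2.15 203.0.113.40 GET /news/index.html 0
2011-07-12T09:05:01 10.1.2.15 198.51.100.7 POST /gate.php 311
"""

# Assumed log layout; adjust the pattern for a real proxy's format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["bytes"] = int(d["bytes"])
        events.append(d)
    return events


def find_beacons(events, min_hits=5, max_cv=0.10):
    """Return {(src, dst): (mean_gap_s, cv, hits)} for host pairs whose
    outbound connections recur at near-constant intervals. cv is the
    coefficient of variation (stdev/mean) of the inter-arrival gaps;
    a low cv means machine-like regularity."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (round(mean, 1), round(cv, 3), len(stamps))
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean, cv, hits) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{mean}s (cv={cv}, {hits} hits)")
```

Timing regularity alone produces false positives (software updaters and monitoring agents also beacon), so in practice the hits are combined with other signals: destination reputation, whether the path and request sizes match a known Trojan's check-in, and whether the destination was first seen recently. Some bots also add jitter to their interval; widening `max_cv` catches those at the cost of more benign hits.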

"We have these tools that can analyze net traffic to see if
there's anything that points to suspicious activity," said Tak
Chijiiwa, principal consultant at Toronto-based Security Compass.
"It's a way to become a bit more preventative and reduce the
window of opportunity [for data thieves]."

Unveillance's Hijazi noted that in some cases, law enforcement
will subpoena the records of the servers hosting the domains to
which the botnet Trojans are sending the data. It's not uncommon
for the server owners to be completely unaware anything criminal
is going on.

Once the records are in hand, the identities of the botnet's
masters can be found, although sometimes that doesn't help much
if the operators aren't in the United States.

Of course, cybercriminals and the hackers who work for them have
come up with ways for malware to avoid detection.

Hijazi said one method is for malware distributors to just send
out lots of infectious software at once. Typical anti-virus software will pick up some of
it, perhaps even most of it, but the really sophisticated
Trojan will be buried somewhere the anti-virus software wasn't
told to look — and the user will think his computer is clean.

How to protect yourself

On the bright side, users' computers are actually getting better
at resisting banking Trojans. Aitel said Google's inexpensive
Chromebooks, for example, are actually quite good at stopping
most Trojans and malware — ideal for a small business to dedicate
to online banking.

Other security experts recommend using a "live" CD, in which a PC
runs Linux from a compact disc, or a Mac to do online banking.
(The recent
wave of Mac Trojans may make the latter option less
appealing.)

Eventually, it may become so difficult to infect a PC with a
banking Trojan that the criminals will move on to other ways of
making money.

That's a key point the experts make: Digital criminals take the
path of least resistance. Making, buying and operating banking
Trojans is simply too cheap and easy — at least for now. That
will change, just as the situation did for directly attacking
banks.

So what's ahead? Once the defense against banking Trojans gets
good enough, expect a new round of threats to focus on mobile
devices.

Chijiiwa said his firm is being asked to test smartphones and
tablets more often, and he expects that will become the focus of
criminal activity.